Why Exercises Are Non-Negotiable
ISO 22301 Clause 8.5 requires you to test and evaluate BCPs. The gap between documented plans and operational capability is often substantial. A procedure that reads clearly in a document may prove impossible to execute under stress, with incomplete information, or when key people are unavailable. Exercises are the primary evidence of BCMS effectiveness. Auditors examine your exercise program to assess whether your BCMS actually works or is merely documentation that has never been tested.
Exercise Types
Different exercise types serve different purposes and reveal different classes of gaps. The following table shows how they vary in scope, effort, and the value of evidence they provide:
| Exercise Type | Description | Duration | Participants | ISO 22301 Evidence |
|---|---|---|---|---|
| Tabletop | Discussion-based scenario walkthrough | 2–4 hours | BCM team + key staff | Medium |
| Functional/Drill | Single function tested operationally | Half day | Function team | High |
| Full-Scale Simulation | End-to-end BCP activation | Full day+ | All BCM roles | Very High |
| Technical Recovery Test | IT systems recovery to DR | 4–8 hours | IT team | High |
| Communication Drill | Contact tree and notification test | 1 hour | All staff | Medium |

Exercise Frequency Requirements
ISO 22301 does not mandate a specific exercise frequency, but certification body expectations and Indonesian regulatory requirements (particularly OJK expectations for financial institutions) typically assume at least one exercise per critical activity per year. A risk-proportionate approach makes sense: critical activities with high-impact, high-likelihood disruption scenarios should be tested annually; less critical activities may be tested on a longer cycle. The key principle is that every critical activity referenced in your BCP must be exercised at least once per year, across the full calendar of exercises.
Scenario Selection
Avoid scenarios that you know your organization can handle easily. The most valuable exercises are those that stress-test your plans and reveal gaps. Match scenarios to your organizational risk profile: Indonesian-specific scenarios (flood, earthquake, extended power failure, cyber incident) are more relevant than generic examples. Select scenarios that test different aspects of your BCP—one year test IT recovery, the next year test alternate site activation, the next test supply chain disruption.
Exercise Design Methodology
A structured design process ensures exercises are realistic and produce useful findings. Define clear objectives (What capability do we want to test?). Develop the scenario (What is the triggering event?). Create injects—injected messages or information that participants receive during the exercise to simulate the unfolding event. Assign roles and responsibilities. Build the detailed schedule and timing. Plan the debrief to capture findings. Keep exercises realistic without creating actual disruption; if people cannot tell whether this is an exercise or a real event, the exercise has become a crisis.
Post-Exercise Process
Debrief immediately while memories are fresh. Classify findings as critical (impacts ability to execute critical activity), major (significant procedure gap), or minor (documentation improvement). Assign corrective actions to owners with agreed completion dates. Track actions to closure and validate that they are actually completed. Update BCPs based on validated findings. This is the point at which exercises translate into BCP improvements.
Annual Exercise Calendar Template
A pre-planned exercise calendar, approved by leadership at the start of the year, prevents exercises from being cancelled under operational pressure. The following table shows a sample year-round program:
| Quarter | Exercise Type | Scenario Focus | Duration | Lead |
|---|---|---|---|---|
| Q1 | Tabletop | Cyber incident / ransomware | 3 hours | BCMS Manager |
| Q2 | Technical Recovery | DR failover for core systems | 6 hours | IT Lead |
| Q3 | Functional Drill | Alternate site activation | Half day | Facilities + Operations |
| Q4 | Full BCP Review Tabletop | Natural disaster / flooding | 4 hours | All BCM roles |

KEY IDEA: ISO 22301 does not specify how many exercises you must run per year, but certification body guidance and Indonesian regulatory expectations typically assume at least one exercise per critical activity per year, with a mix of exercise types across the program.

IMPORTANT: Exercises that only test scenarios you know you can handle are not exercises—they are demonstrations. The most valuable exercises are those that reveal gaps and generate corrective actions, even if they expose weaknesses.

BITLION INSIGHT: The biggest exercise program failure is the exercise that gets cancelled every year due to operational pressure. Build exercises into the organizational calendar at the start of the year, with executive sign-off, and treat cancellation as a BCMS nonconformity.